
Real-time protection

The <real_time_protection> element configures how the antivirus scanner handles files as running programs open, read, or write them (real-time protection, RTP).

Several tags in this section are shared with <on_demand_scanning> and have the same meaning there.

<forticlient_configuration>
  <antivirus>
    <real_time_protection>
      <enabled>1</enabled>
      <use_extreme_db>0</use_extreme_db>
      <when>0</when>
      <ignore_system_when>0</ignore_system_when>
      <on_virus_found>0</on_virus_found>
      <popup_alerts>0</popup_alerts>
      <popup_registry_alerts>0</popup_registry_alerts>
      <bypass_java>0</bypass_java>
      <cloud_based_detection>
        <on_virus_found></on_virus_found>
      </cloud_based_detection>
      <compressed_files>
        <scan>1</scan>
        <maxsize>2</maxsize>
      </compressed_files>
      <riskware>
        <enabled>1</enabled>
      </riskware>
      <adware>
        <enabled>1</enabled>
      </adware>
      <heuristic_scanning>
        <level>3</level>
        <action>0</action>
      </heuristic_scanning>
      <scan_file_types>
        <all_files>1</all_files>
        <file_types>
          <extensions>.386,.ACE,.ACM,.ACV,.ACX,.ADT,.APP,.ASD,.ASP,.ASX,.AVB,.AX,.AX2,.BAT,.BIN,.BTM,.CDR,.CFM,.CHM,.CLA,.CLASS,.CMD,.CNN,.COM,.CPL,.CPT,.CPY,.CSC,.CSH,.CSS,.DEV,.DLL,.DOC,.DOT,.DRV,.DVB,.DWG,.EML,.EXE,.FON,.GMS,.GVB,.HLP,.HTA,.HTM,.HTML,.HTT,.HTW,.HTX,.HXS,.INF,.INI,.JPG,.JS,.JTD,.KSE,.LGP,.LIB,.LNK,.MDB,.MHT,.MHTM,.MHTML,.MOD,.MPD,.MPP,.MPT,.MRC,.OCX,.PIF,.PL,.PLG,.PM,.PNF,.PNP,.POT,.PPA,.PPS,.PPT,.PRC,.PWZ,.QLB,.QPW,.REG,.RTF,.SBF,.SCR,.SCT,.SH,.SHB,.SHS,.SHT,.SHTML,.SHW,.SIS,.SMM,.SWF,.SYS,.TD0,.TLB,.TSK,.TSP,.TT6,.VBA,.VBE,.VBS,.VBX,.VOM,.VSD,.VSS,.VST,.VWP,.VXD,.VXE,.WBK,.WBT,.WIZ,.WK,.WML,.WPC,.WPD,.WSC,.WSF,.WSH,.XLS,.XML,.XTP</extensions>
          <include_files_with_no_extension>0</include_files_with_no_extension>
        </file_types>
      </scan_file_types>
      <exclusions>
        <file />
        <folder />
        <file_types>
          <extensions />
        </file_types>
      </exclusions>
    </real_time_protection>
  </antivirus>
</forticlient_configuration>

The following table lists the XML tags for RTP with their descriptions and, where applicable, default values. The sample above is illustrative rather than a dump of defaults: some of its values differ from the documented defaults (for example <ignore_system_when> and <popup_alerts>), and <on_virus_found>0</on_virus_found> is not among the documented values for that tag. Where the two differ, follow the table.

XML tag

Description

Default value

<enabled>

Enable or disable RTP.

Boolean value: [0 | 1]

1

<use_extreme_db>

Use the extreme antivirus signature database (the largest FortiGuard signature set, which also carries signatures for older threats no longer seen in the wild) instead of the regular database. Detection coverage is wider at the cost of larger updates and more scanning work.

Boolean value: [0 | 1]

<when>

File I/O activities that result in a scan. Configure one of the following:

  • 0: scan files when processes read or write them and enable scanning network files.
  • 1: scan files when processes read them and disable scanning network files.
  • 2: scan files when processes write them and disable scanning network files.
  • 3: scan files when processes read or write them and disable scanning network files.
  • 4: scan files when processes read them and enable scanning network files.
  • 5: scan files when processes write them and enable scanning network files.

0

<ignore_system_when>

File I/O activities by system processes that result in a scan. Configure one of the following:

  • 0: scan files when system processes read or write them.
  • 1: scan files when system processes read them.
  • 2: scan files when system processes write them.
  • 3: do not scan files when system processes read or write them.

2

<on_virus_found>

Configure the action FortiClient performs if it finds a virus:

  • 1: ignore infected files. The file stays in place and remains accessible; the detection is only logged.
  • 4: quarantine infected files. You can use FortiClient to view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
  • 5: deny access to infected files.

Both 4 and 5 prevent access to the file; 4 additionally moves it to quarantine.

5

<popup_alerts>

If enabled, displays the Virus Alert dialog when a virus is detected while attempting to download a file via a web browser. The dialog allows you to view recently detected viruses, their locations, and statuses.

Boolean value: [0 | 1]

1

<popup_registry_alerts>

Enable or disable pop-up registry alerts. This feature displays alerts if a process tries to change registry start items.

Boolean value: [0 | 1]

0

<bypass_java>

Enable or disable bypassing digitally signed Java processes. When set to 1, file access by digitally signed Java processes is exempt from RTP scanning, which also exempts whatever those processes load. Leave at 0 unless a specific Java application requires the exemption.

Boolean value: [0 | 1]

0

<cloud_based_detection> elements

<on_virus_found>

The action FortiClient performs when a virus is detected by the Cloud Based Behavior Scan (CBBS). Select one of the following:

  • 4: quarantine infected files. You can use FortiClient to view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs.
  • 5: deny access

<compressed_files> elements

<scan>

Enable or disable scanning of compressed files.

Boolean value: [0 | 1]

1

<maxsize>

Maximum compressed file size to scan in MB.

A number up to 65535. 0 means no limit.

2

<riskware> element

<enabled>

Enable or disable scanning of riskware files.

Boolean value: [0 | 1]

1

<adware> element

<enabled>

Enable or disable scanning of adware files.

Boolean value: [0 | 1]

1

<heuristic_scanning> elements

<level>

This setting applies to real-time and on-demand scans. Enter one of the following:

  • 0: normal
  • 1: advanced heuristics on highly infected systems
  • 2: Minos engine heuristics on highly infected systems
  • 3: both advanced heuristics on highly infected systems and engine heuristics
  • 4: both, without waiting to determine if system is highly infected

<action>

The action FortiClient performs if it finds a virus. Enter one of the following:

  • 0: warning
  • 1: deny access
  • 3: submit only

<scan_file_types> element

<all_files>

Enable or disable scanning of all file types. If enabled, the <file_types> element is ignored.

Boolean value: [0 | 1]

1

<scan_file_types><file_types> elements

<extensions>

Comma separated list of extensions to scan.

<include_files_with_no_extension>

Determines whether to scan files with no extension.

Boolean value: [0 | 1]

0

<exclusions> elements – FortiClient supports using wildcards and path variables to specify files and folders to exclude from scanning. The following wildcards and variables are supported, among others:

  • Using wildcards to exclude a range of file names with a specified extension, such as Edb*.jrs
  • Using wildcards to exclude all files with a specified extension, such as *.jrs
  • Path variable %windir%
  • Path variable %allusersprofile%
  • Path variable %systemroot%
  • Path variable %systemdrive%

Combinations of wildcards and variables are not supported.

<file>

Full path to a file to exclude from RTP scanning. Element may be repeated to list more files.

<folder>

Full path to a directory to exclude from RTP scanning. The element may be repeated to list more directories. The Shadow Copy device path is supported, for example <folder>\Device\HarddiskVolumeShadowCopy*</folder> (Shadow Copy is also known as Volume Snapshot Service, Volume Shadow Copy Service, or VSS). Apart from that form, wildcards are not accepted in folder paths; the wildcard support described above applies to file names in <file> entries.

<exclusions> <file_types> element

<extensions>

Comma separated list of extensions to exclude from RTP scanning.

<sandboxing> element

<enabled>

Enable or disable the FortiSandbox integration.

Boolean value: [0 | 1]

<sandbox_address>

Specify the IP address for FortiSandbox.

<timeout>

Specify how long, in seconds, to wait for FortiSandbox results before allowing access to the file. A value of 0 grants access immediately without waiting for the verdict, so the sandbox result can only be acted on after the file has already been opened.

Range: 0-4294967295 in seconds

<use_sandbox_signatures>

Enable or disable the use of FortiSandbox signatures.

Boolean value: [0 | 1]

<check_for_signatures_every>

Specify how often to check for FortiSandbox signatures when <use_sandbox_signatures> is set to 1. This is an interval, not a Boolean flag; the unit is not documented here.

<action_on_error>

Specify whether to block traffic when FortiSandbox returns an error. When this setting is 0, traffic is passed (fail open). When this setting is 1, traffic is blocked (fail closed).

Boolean value: [0 | 1]

0

<scan_usb>

Enable or disable sending files from USB drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.

Boolean value: [0 | 1]

0

<scan_mapped_drives>

Enable or disable sending files from mapped drives to FortiSandbox for scanning. When this setting is 0, files are not scanned. When this setting is 1, files are scanned.

Boolean value: [0 | 1]

0
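A handful of the tags above make RTP or the FortiSandbox hand-off fail open: <enabled>0, <on_virus_found>1, <ignore_system_when>3, <bypass_java>1, a heuristic <action> that only warns or submits, a <sandboxing> <timeout> of 0, and <action_on_error> of 0. The following added example, which is not Fortinet code, audits a configuration fragment for those values and also reports any value the table does not list. Both fragments are constructed: the weak one mirrors the page's sample plus a <sandboxing> block (the page lists its tags but not its position, so placing it under <antivirus> is an assumption and the code looks for it anywhere), and the hardened one swaps the fail-open values for documented alternatives.

```python
"""Audit a FortiClient real-time protection fragment for fail-open settings.

Added example, not Fortinet code. Each check follows the tag table on this page.
The sample fragments are constructed: the weak one mirrors the page's sample plus
an assumed <sandboxing> block (its position under <antivirus> is an assumption, so
it is looked up anywhere in the document).
"""
import xml.etree.ElementTree as ET

RTP = "./antivirus/real_time_protection/"


def _value(root, path):
    node = root.find(path)
    if node is None or node.text is None:
        return None
    return node.text.strip()


def audit_rtp(xml_text):
    """Return (severity, tag, message) tuples; an empty list means nothing weak was found."""
    root = ET.fromstring(xml_text)
    findings = []

    def flag(severity, tag, message):
        findings.append((severity, tag, message))

    def documented(tag, allowed):
        """Read a tag and report values the page's table does not list."""
        v = _value(root, RTP + tag)
        if v is not None and v not in allowed:
            flag("INFO", tag, f"value {v!r} is not a documented value {sorted(allowed)}")
        return v

    if documented("enabled", {"0", "1"}) == "0":
        flag("HIGH", "enabled", "real-time protection is disabled")

    when = documented("when", {"0", "1", "2", "3", "4", "5"})
    if when in ("1", "2", "3"):
        flag("MEDIUM", "when", "network files are not scanned")
    if when in ("1", "4"):
        flag("MEDIUM", "when", "only reads trigger a scan; writes are not scanned")
    if when in ("2", "5"):
        flag("MEDIUM", "when", "only writes trigger a scan; reads are not scanned")

    if documented("ignore_system_when", {"0", "1", "2", "3"}) == "3":
        flag("MEDIUM", "ignore_system_when", "file I/O by system processes is never scanned")

    if documented("on_virus_found", {"1", "4", "5"}) == "1":
        flag("HIGH", "on_virus_found", "infected files are ignored, not quarantined or denied")

    if documented("bypass_java", {"0", "1"}) == "1":
        flag("MEDIUM", "bypass_java", "digitally signed Java processes bypass RTP")

    action = documented("heuristic_scanning/action", {"0", "1", "3"})
    if action == "0":
        flag("LOW", "heuristic_scanning/action", "heuristic detections only warn; access is not denied")
    elif action == "3":
        flag("MEDIUM", "heuristic_scanning/action", "heuristic detections are submitted only, not blocked")

    if documented("compressed_files/scan", {"0", "1"}) == "0":
        flag("MEDIUM", "compressed_files/scan", "archives are not scanned")

    if documented("scan_file_types/all_files", {"0", "1"}) == "0":
        flag("LOW", "scan_file_types/all_files", "only the listed extensions are scanned")
        no_ext = "scan_file_types/file_types/include_files_with_no_extension"
        if documented(no_ext, {"0", "1"}) == "0":
            flag("MEDIUM", no_ext, "files without an extension are not scanned")

    # FortiSandbox hand-off: both of these make the client fail open.
    sandbox = root.find(".//sandboxing")
    if sandbox is not None and _value(sandbox, "enabled") == "1":
        if _value(sandbox, "timeout") == "0":
            flag("HIGH", "sandboxing/timeout", "file access is granted before FortiSandbox returns a verdict")
        if _value(sandbox, "action_on_error") in (None, "0"):
            flag("MEDIUM", "sandboxing/action_on_error", "traffic is passed when FortiSandbox returns an error")
    return findings


# Constructed: the page's sample values plus an assumed <sandboxing> block
# (192.0.2.10 is a documentation address, not a real FortiSandbox).
WEAK = """<forticlient_configuration><antivirus>
<real_time_protection>
  <enabled>1</enabled><when>0</when><ignore_system_when>0</ignore_system_when>
  <on_virus_found>0</on_virus_found><bypass_java>0</bypass_java>
  <compressed_files><scan>1</scan><maxsize>2</maxsize></compressed_files>
  <heuristic_scanning><level>3</level><action>0</action></heuristic_scanning>
  <scan_file_types><all_files>1</all_files></scan_file_types>
</real_time_protection>
<sandboxing><enabled>1</enabled><sandbox_address>192.0.2.10</sandbox_address>
  <timeout>0</timeout><action_on_error>0</action_on_error></sandboxing>
</antivirus></forticlient_configuration>"""

# Constructed: the same fragment with fail-open values replaced by documented ones.
HARDENED = (WEAK.replace("<on_virus_found>0<", "<on_virus_found>5<")
                .replace("<action>0<", "<action>1<")
                .replace("<timeout>0<", "<timeout>120<")
                .replace("<action_on_error>0<", "<action_on_error>1<"))

if __name__ == "__main__":
    for severity, tag, message in audit_rtp(WEAK):
        print(f"{severity:6} {tag}: {message}")
```

Against the weak fragment the audit reports four findings: the undocumented <on_virus_found>0, the warn-only heuristic action, and the two fail-open sandbox settings. The hardened fragment produces none.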
